Abstract

For a completely distributive quantale $L$, $L$-fuzzy strongest postcondition predicate transformers are introduced, and it is shown that, under reasonable assumptions, they are linear or affine continuous mappings between continuous $L$-idempotent semimodules of $L$-fuzzy monotonic predicates.
Introduction

Predicate transformers, which were introduced in the pioneering work of Dijkstra [6], are powerful tools for analyzing the total or partial correctness of computer programs. The main idea is that the final state after execution of a program depends on its initial state; hence there is an interdependency between the validity of statements (predicates) about the initial and the final states. One can ask, e.g., what the minimal requirements on an initial state are that ensure that the final state satisfies a certain condition. These requirements form the weakest precondition for the given condition. On the other hand, the most precise knowledge about the output of a program for an input that satisfies some predicate is the strongest postcondition for this predicate. Such "forward" and "backward" dependencies are called predicate transformers.

Things become more complicated because of randomness and/or non-determinism, which can arise from unpredictable influence, "angelic" or "demonic" (with the obvious connotations). For simplicity, assume first that only randomness is present, and that the set $S$ of possible states is finite. We mostly follow [16], but the notation will partially vary. A subprobabilistic distribution $D : S \to [0,1]$ guarantees that the probability of each state $s \in S$ is at least $D(s)$. Obviously it is required that $\sum_{s \in S} D(s) \le 1$, and $1 - \sum_{s \in S} D(s)$ "goes to" an unspecified state of the system. We say that a subprobabilistic distribution $D$ is refined by another subprobabilistic distribution $D'$ on $S$ (written $D \sqsubseteq D'$) if $D(s) \le D'(s)$ for all $s \in S$; this means that $D'$ offers more precise knowledge than $D$. This partial order makes the set $\bar S$ of all subprobabilistic distributions on $S$ a complete lower semilattice, with the bottom element $0$ = "no information".

A random variable $\alpha : S \to \mathbb{R}_+$ is called a probabilistic predicate, and $\alpha(s)$ can be treated as a degree of appropriateness of $s \in S$ for some purpose (the more, the better). In particular, if $\alpha(S) \subseteq \{0,1\}$, then all elements of $S$ are divided into "bad" and "good". For a subprobabilistic distribution $D$, the expectation $\int_D \alpha = \sum_{s \in S} D(s) \cdot \alpha(s)$ is the maximal expected degree guaranteed by $D$.

A deterministic probabilistic program $p : S \to \bar S$ sends each initial state $s \in S$ to a subprobabilistic distribution $p(s)$ of possible final states, where the probability $1 - \sum_{s' \in S} p(s)(s')$ is related to unknown behaviour of the program, in particular, to the cases when the program does not terminate. Similarly, a program $p' : S \to \bar S$ refines a program $p : S \to \bar S$ (written $p \sqsubseteq p'$) if $p(s) \sqsubseteq p'(s)$ for each initial state $s \in S$. If an initial probability distribution is partially described (estimated from below) by a subprobabilistic distribution $D \in \bar S$, then the probability of a final state $s' \in S$ is greater than or equal to $D'(s') = \sum_{s \in S} D(s) \cdot p(s)(s')$. Therefore, for a probabilistic predicate $\beta : S \to \mathbb{R}_+$, the expectation after execution of the program has the best estimate from below:

$$\int_{D'} \beta = \sum_{s, s' \in S} D(s) \cdot p(s)(s') \cdot \beta(s').$$

A predicate $\alpha : S \to \mathbb{R}_+$ is called a (probabilistic) precondition for $\beta$, and $\beta$ is then a (probabilistic) postcondition for $\alpha$, if for each initial subprobabilistic distribution $D \in \bar S$ and the respective final subprobabilistic distribution $D' \in \bar S$ we have $\int_D \alpha \le \int_{D'} \beta$, i.e., the expected value $e$ of $\alpha$ guarantees that the expectation of $\beta$ is also equal to or greater than $e$. It is easy to see that the strongest (i.e., the least) postcondition $sp(p)(\alpha)$ of $\alpha$ is determined by the formula

$$sp(p)(\alpha)(s') = \sum_{s \in S} \alpha(s) \cdot p(s)(s'), \quad s' \in S.$$

Observe that all probabilistic predicates on $S$ form a cone, and the mapping $sp(p)$ is additive and positively uniform, i.e., preserves multiplication by non-negative numbers. In this paper we shall construct and investigate an analogue of this mapping. Similarly, for a given predicate $\beta$, a weakest (greatest) precondition $wp(p)(\beta)$ can be found. See [16] on how nondeterminism can be incorporated into this model by mapping each initial state not to a single distribution, but to a set of distributions.
This is also closely related to the notion of approximate correctness of a computer program [15]. Although a number that expresses "approximateness" can also be treated as a degree of belief, the entire theory by Mingsheng Ying is based on probabilistic logic and is well suited to the study of probabilistic programs. It is also focused more on uncertainty of assumptions and conclusions than on imprecision in the description of input and output data, as one could expect based on the term "approximate". For example, the refinement index of two probabilistic predicates is defined as the belief probability to which one probabilistic predicate is refined by another. There are several parallels between this theory and what we are doing in the sequel.

This approach, however, has intrinsic restrictions: we assume that a system is sufficiently described by knowing which states or random events (sets of states) are realized, or what the probabilities of their realization are. For a simple program, like the examples in [16], this assumption is realistic, but if, e.g., our program removes artifacts from a sufficiently large colour image, then the state space $S$ is too huge to apply the above apparatus. To reduce $S$, one can divide all possible images into a reasonable number of classes. Boundaries between these classes cannot be clear; therefore the predicates will not be tolerant to small changes in images. Next, a careful study of the probability distributions of the class of a possible output for a given class of input image is a non-trivial task. Even if this goal is achieved, the respective predicate transformers describe average results and say nothing about rare extreme cases, which may make the program unusable.

For such "huge-dimensional" cases we suggest abandoning the purely probabilistic approach and decreasing the "dimensionality" by allowing fuzzy predicates. The idea is to have fewer predicates, which may be "more or less" true, and whose values for each possible portion of information about a system represent the greatest known degrees of truth, certainty, precision, quality, etc., which we can reliably count on. For example, such a predicate can assign to each square part of a given image, with integer coordinates of the vertices, a numerical measure of its quality. Then an image is incompletely but efficiently described by a finite collection of numbers, which is considered to be the value of the predicate. Observe that two such collections can be incomparable, e.g., if two images are damaged in different places. Hence the considered predicates can attain values in sets which are only partially ordered, although fuzziness is most often expressed on a numeric scale, e.g., $[0,1]$.

From now on we shall talk about "truth values" of fuzzy predicates, but this term is used for the sake of convenience and does not restrict the possible interpretations to fuzzy logic only, although that is also possible. We expect that all known semantics of fuzziness [?] can be applied; see the examples in the next section.

Fuzzy predicate transformers have also been studied, mostly in $[0,1]$-settings [?]. This paper is devoted to constructing and investigating $L$-fuzzy (where $L$ is a suitable lattice) strongest postcondition predicate transformers that are determined by state transformers, i.e., by $L$-fuzzy knowledge about what we can expect (more precisely, what is guaranteed in the worst case) for each initial state of a system. We are interested in order and topological properties of predicate transformers. It will be shown that spaces of predicates are idempotent semimodules, which are analogues of vector spaces, and that under certain (not very restrictive) conditions the strongest postcondition predicate transformers are linear or affine continuous mappings between these semimodules.

1. Semimodules of monotonic predicates 

Throughout this paper, if $f, g$ are functions with a common domain, $\alpha$ is a constant, and $*$ is a binary operation, then we denote by $f * g$, $\alpha * f$ and $f * \alpha$ the functions with the same domain obtained by pointwise application of the operation $*$ (provided it is defined for the corresponding values). In the sequel $\sup_p$ and $\inf_p$ for a family of functions with a common domain to a poset will denote the pointwise suprema and infima, respectively.

See [?] for basic definitions and facts on partially ordered sets, including continuous semilattices and lattices. Here we shall recall only notation and a few definitions. For a poset $X$, the same set, but with the reversed order, is denoted by $X^{op}$. An element $a$ approximates $b$, or is way below $b$, in a poset $X$, which is written as $a \ll b$, if, for each directed subset $C \subseteq X$ such that $b \le \sup C$, there is $c \in C$ such that $a \le c$. A poset $X$ is called continuous if, for each $b \in X$, the set of all $a \ll b$ is directed and has $b$ as its least upper bound. A poset is directed complete if each of its non-empty directed subsets has a least upper bound. A continuous directed complete poset is called a domain. A domain which is additionally a meet semilattice (a complete lattice) is called a continuous semilattice (respectively a continuous lattice).

The Scott topology on a poset $X$ is the least topology such that all lower sets $C$ that are closed under directed suprema are closed. The lower topology on $X$ is the least topology such that the sets $\{a \in X \mid b \le a\}$ are closed for all $b \in X$. The join, i.e., the least topology that contains the Scott and the lower topologies, is called the Lawson topology.

In the sequel $L$ will be a completely distributive lattice, i.e., a compact Hausdorff distributive Lawson lattice with its Lawson topology. A topological lattice (semilattice) is said to be Lawson if for each point it possesses a local base that consists of sublattices (respectively of subsemilattices). Note that the same is true for $L^{op}$. We denote by $0$, $1$, $\oplus$, and $\otimes$ the bottom element, the top element, the join, and the meet in $L$, respectively. The elements of this (arbitrary, but fixed throughout the paper) lattice will be used to express truth values. The operation $\oplus$ is the disjunction, but the conjunction does not necessarily coincide with $\otimes$. Although complete distributivity is a very strong requirement, a lot of important lattices fall into this class, e.g., all complete linearly ordered sets, including $I = [0,1]$ or any other segment in $\mathbb{R}$, all finite distributive lattices, and all products of completely distributive lattices, in particular $I^\tau$ for all cardinals $\tau$. In fact, a lattice is completely distributive if and only if it is order isomorphic to a complete sublattice of some $I^\tau$.

We shall also use basic notions of denotational semantics of programming languages. Consider a state of a computational process or a system. All possible (probably incomplete) portions of information we can have about this state form a domain of computation $D$. This set carries a partial order $\le$ which represents a hierarchy of information or knowledge: the more information an element contains (i.e., the more specific/restrictive it is), the higher it is. See [9] for more details, in particular, for an explanation of why it is natural to demand that $D$ is a domain, i.e., a continuous directed complete poset. In addition to this, it is also often required that there is a least element $0 \in D$ (no information at all), and that for all $a$ and $b$ in $D$ there is a meet $a \wedge b$, which, e.g., can be (but not necessarily is) treated as "$a$ or $b$ is true".

Following [13], for a domain $D$ we call the elements of the set $[D \to L^{op}]^{op}$ $L$-fuzzy monotonic predicates on $D$ (here $[A \to B]$ stands for the set of mappings from $A$ to $B$ that are Scott continuous, i.e., preserve directed suprema). For $m \in [D \to L^{op}]^{op}$ and $a \in D$, we regard $m(a)$ as the truth value of $a$; hence it is required that $m(b) \le m(a)$ for all $a \le b$. The second $op$ means that we order fuzzy predicates pointwise, i.e., $m_1 \le m_2$ iff $m_1(a) \le m_2(a)$ in $L$ (not in $L^{op}$!) for all $a \in D$. We denote $M_{[L]}D = [D \to L^{op}]^{op}$, and, for a domain $D$ with a bottom element, consider also the subset $\bar M_{[L]}D \subseteq M_{[L]}D$ of all normalized predicates that take $0 \in D$ (no information) to $1 \in L$ (complete truth). Observe that $\bar M_{[L]}D$ is a complete sublattice of $M_{[L]}D$.

Example 1.1. Let a system have a finite or countable state space $S$. Each subset $A \subseteq S$ is identified with its characteristic mapping $\chi_A : S \to \{0,1\}$, which is the Boolean predicate "the current state $s$ is in $A$". A smaller subset $A$ corresponds to more information; therefore the set $D$ of all subsets of $S$ is partially ordered by reverse inclusion. Then $D$ is a continuous lattice, and the $\{0,1\}$-fuzzy monotonic predicates on $D$ are precisely the $\chi_A$ for all $A \subseteq S$.

If the system changes its state randomly, then different schemes are possible. Generally, incomplete probabilistic knowledge is a mapping $m : D \to [0,1]$ such that for all $A \subseteq S$ the probability $P(A)$ is at least $m(A)$. Of course, $A \le B$, i.e., $A \supseteq B$, implies $m(A) \ge m(B)$, and $\sigma$-additivity of probability requires that $m$ sends directed unions of subsets of $S$ to the corresponding suprema in $[0,1]$. Thus $m$ is a $[0,1]$-fuzzy monotonic predicate.

Observe that $m$ may not necessarily be reducible to a collection of estimates for the probabilities of individual states $s \in S$. For example, if all that we know is $P(\{s_1, s_2\}) \ge 0.5$, then the only subprobabilistic distribution that is surely less than or equal to the actual distribution is the trivial one, i.e., zero for all states.

Of course, $m$ can be determined by (sub)probabilistic distributions. Let the exact probability distribution be unknown, but one of $n$ possible ones, which are bounded from below respectively by subprobabilistic distributions $P_1, P_2, \ldots, P_n \in \bar S$. The greatest guaranteed probability of a random event $A \in D$ is equal to $m(A) = \inf_{1 \le i \le n} \sum_{s \in A} P_i(s)$. Then $m$ is a $[0,1]$-valued fuzzy monotonic predicate, which "aggregates" all possible probability distributions under the assumption of "demonic" non-determinism.

Thus numeric fuzzy predicates can arise in purely probabilistic settings, with the semantics "truth value = guaranteed probability". Observe that the probability of $S$ is always $1$, hence the mentioned predicates may be considered normalized.

Example 1.2. Let an image be divided into $n$ parts, and let the quality of each of them be rated on the scale $L = \{0, 1, \ldots, m\}$, e.g., $0$ = "awful", $1$ = "bad", $\ldots$, $m$ = "perfect". Then the state space is equal to $S = L^n$. The domain of computation $D$ can also be put equal to $L^n$, and $d = (d_1, d_2, \ldots, d_n)$ will mean "the actual quality $s_i$ of the $i$-th part is not worse than $d_i$ for all $1 \le i \le n$". This implies that $(d_1, d_2, \ldots, d_n) \le (d'_1, d'_2, \ldots, d'_n)$ in $D$ if and only if $d_1 \le d'_1$, $d_2 \le d'_2$, $\ldots$, $d_n \le d'_n$.

For each $q = (q_1, q_2, \ldots, q_n) \in L^n$, let the predicates $m_q, m'_q, m''_q : D \to L$ be defined by the formulae:

$$m_q((d_1, d_2, \ldots, d_n)) = \max\{k \in L \mid d_i \ge q_i - (m - k) \text{ for all } i = 1, 2, \ldots, n\},$$
$$m'_q((d_1, d_2, \ldots, d_n)) = \max\{k \in L \mid d_i \ge \min\{k, q_i\} \text{ for all } i = 1, 2, \ldots, n\},$$
$$m''_q((d_1, d_2, \ldots, d_n)) = \max\{k \in L \mid \max\{d_i, m - k\} \ge q_i \text{ for all } i = 1, 2, \ldots, n\}$$

for all $(d_1, d_2, \ldots, d_n) \in D$. Then $m_q((d_1, d_2, \ldots, d_n))$ shows the worst relative loss of quality w.r.t. $(q_1, q_2, \ldots, q_n)$, $m'_q((d_1, d_2, \ldots, d_n))$ shows "below what degree" the quality of $(d_1, d_2, \ldots, d_n)$ is not worse than $(q_1, q_2, \ldots, q_n)$, and $m''_q((d_1, d_2, \ldots, d_n))$ shows "above what degree" the quality of $(d_1, d_2, \ldots, d_n)$ is not worse than $(q_1, q_2, \ldots, q_n)$. In all these cases the predicates compare the guaranteed quality of an input with a desired one. Thus we can construct a predicate like "the image is perfect at the centre and at least good at the corners".

Moreover, we can rate the parts of an image in several aspects, with separate scales $L_1, L_2, \ldots, L_r$ for each; then the resulting $L = L_1 \times L_2 \times \cdots \times L_r$ will be a finite distributive lattice which is not linearly ordered.

It follows from [?, Theorem 4] (classified as "folklore knowledge" in [13]) that, for a domain $D$ and a completely distributive lattice $L$, the set $[D \to L^{op}]$ is a completely distributive lattice as well. Hence this is also valid for $M_{[L]}D$ and (if $D$ contains a least element) $\bar M_{[L]}D$.

For an element $d_0 \in D$, we denote by $\eta_{[L]}D(d_0)$ the function $D \to L$ that sends each $d \in D$ to $1$ if $d \le d_0$ and to $0$ otherwise. It is easy to see that $\eta_{[L]}D(d_0) \in \bar M_{[L]}D \subseteq M_{[L]}D$, and $\bar 0 = \eta_{[L]}D(0)$ is the least element of $\bar M_{[L]}D$.

Lemma 1.3. For a domain $D$, the mapping $\eta_{[L]}D : D \to M_{[L]}D$ is continuous w.r.t. the Scott topologies and w.r.t. the lower topologies. If $D$ is a complete continuous semilattice, then $\eta_{[L]}D$ is an embedding w.r.t. the Scott topologies, the lower topologies, and the Lawson topologies.

Proof. Obviously, $\eta_{[L]}D(d_1) \le \eta_{[L]}D(d_2)$ if and only if $d_1 \le d_2$. Observe also that $\eta_{[L]}D(d_0)$ is the least $m \in M_{[L]}D$ such that $m(d_0) = 1$. If $\mathcal{D} \subseteq D$ is directed and $\sup \mathcal{D} = d_0$, then $\sup\{\eta_{[L]}D(d) \mid d \in \mathcal{D}\}$ is the least $m \in M_{[L]}D$ such that $m \ge \eta_{[L]}D(d)$ for all $d \in \mathcal{D}$, which is equivalent to $m(d) = 1$ for all $d \in \mathcal{D}$. Since $m : D \to L^{op}$ is Scott continuous, i.e., it preserves directed suprema, this is, in turn, equivalent to $m(\sup \mathcal{D}) = m(d_0) = 1$. By the above, such an $m$ is equal to $\eta_{[L]}D(d_0)$. Hence $\eta_{[L]}D$ preserves directed suprema as well.

To show that $\eta_{[L]}D$ is lower continuous, it suffices to show that, for all $m \in M_{[L]}D$, the set

$$\eta_{[L]}D^{-1}(\uparrow m) = \{d_0 \in D \mid \eta_{[L]}D(d_0) \ge m\}$$

is closed in the lower topology on $D$. The inequality $\eta_{[L]}D(d_0) \ge m$ means that $\eta_{[L]}D(d_0)(d) = 1$ for all $d \in D$ such that $m(d) \ne 0$; in other words, $d_0$ is an upper bound of the set $\{d \in D \mid m(d) \ne 0\}$. This implies that

$$\eta_{[L]}D^{-1}(\uparrow m) = \bigcap\{\uparrow d \mid d \in D,\ m(d) \ne 0\},$$

which is closed in the lower topology on $D$.

If $D$ is a complete continuous semilattice, then it is compact Hausdorff in its Lawson topology; therefore a continuous injective mapping from it to the compactum $M_{[L]}D$ is an embedding. Due to the completeness of $D$, this implies that the isotone mapping $\eta_{[L]}D$ is also an embedding w.r.t. the Scott topologies and w.r.t. the lower topologies. $\square$

Therefore we consider $D$ as a sub-dcpo of $M_{[L]}D$, and a complete continuous semilattice $D$ is additionally a subspace of $M_{[L]}D$ w.r.t. the Scott, the lower, and the Lawson topologies on both sets.

Infima and finite suprema in the complete lattices $M_{[L]}D$ and $\bar M_{[L]}D$ of functions are taken pointwise, whereas arbitrary suprema are described by the following easy but useful statement. For a function $f : D \to L$, let

$$f^u(b) = \inf\{f(a) \mid a \in D,\ a \ll b\}, \quad \text{for all } b \in D.$$

Observe that $f^u$ is always a monotonic predicate. Moreover [21, Lemma 1.4]:

Lemma 1.4. For an antitone function $f : D \to L$, the function $f^u$ is the least monotonic predicate $f'$ such that $f \le f'$ pointwise.

Hence, for a family $\mathcal F \subseteq M_{[L]}D$ (or $\mathcal F \subseteq \bar M_{[L]}D$), we have $\inf \mathcal F = \inf_p \mathcal F$ and $\sup \mathcal F = (\sup_p \mathcal F)^u$. For finite $\mathcal F$, the latter $u$ can be dropped.

Lemma 1.5. Let a set $\mathcal F \subseteq M_{[L]}D$ (or $\mathcal F \subseteq \bar M_{[L]}D$) be compact in the relative lower topology. Then $\sup_p \mathcal F \in M_{[L]}D$ (resp. $\sup_p \mathcal F \in \bar M_{[L]}D$); therefore $\sup \mathcal F = \sup_p \mathcal F$.

Proof. Assume to the contrary that there exists $a_0 \in D$ such that

$$\sup\{f(a) \mid f \in \mathcal F\} \ge \alpha > \alpha_0 = \sup\{f(a_0) \mid f \in \mathcal F\}$$

for all $a \in D$, $a \ll a_0$. The complete distributivity of $L$ implies that there is $\beta \in L$ such that $\beta \le \alpha$, $\beta \not\le \alpha_0$, and if $\Gamma \subseteq L$ satisfies $\sup \Gamma \ge \alpha$, then there is $\gamma \in \Gamma$ with $\gamma \ge \beta$ (such a $\beta$ is said to be way-way below $\alpha$, cf. [11]). The set

$$\mathcal F_a = \{f \in \mathcal F \mid f(a) \ge \beta\} = \{f \in \mathcal F \mid f \ge m\},$$

where

$$m(a') = \begin{cases} \beta, & a' \le a; \\ 0, & \text{otherwise}, \end{cases} \quad \text{for } a' \in D,$$

is closed in $\mathcal F$. The family $\{\mathcal F_a \mid a \ll a_0\}$ of nonempty sets is directed; therefore by compactness it has a common element $f_0 \in \mathcal F$, i.e., $f_0(a) \ge \beta$ for all $a \ll a_0$. Then by the Scott continuity of $f_0 : D \to L^{op}$ we obtain

$$\alpha_0 = \sup\{f(a_0) \mid f \in \mathcal F\} \ge f_0(a_0) \ge \beta,$$

which is a contradiction. $\square$

We use the notation $\oplus$ and $\otimes$ for joins and meets respectively, both in $M_{[L]}D$ and in $\bar M_{[L]}D$.

In the sequel we shall additionally require that $L$ be a unital quantale [20], i.e., that there exists an associative binary operation $* : L \times L \to L$ such that $1$ is a two-sided unit and $*$ is infinitely distributive w.r.t. supremum in both variables, which is equivalent to being continuous w.r.t. the Scott topology on $L$. Observe that, for such $*$, its infinite distributivity w.r.t. infima also means continuity w.r.t. the Lawson topology on $L$. Recall that we treat $\oplus$ as a disjunction, and $*$ will be a (possibly noncommutative) conjunction in an $L$-valued fuzzy logic [12]. The Boolean case is obtained for $L = \{0,1\}$, $\oplus = \vee$ and $* = \wedge$. On the other hand, let the finite linearly ordered set $L = \{0, 1, \ldots, m\}$ be used to express absolute and relative quality of input, certainty, precision, etc., cf. Example 1.2. Then the operations $i * j = \min\{i, j\}$ and $i * j = \max\{i + j - m, 0\}$ can be reasonable choices, which reflect the natural assumption that the combination of two distorted, imprecise, or uncertain inputs produces an equally or more distorted, imprecise, or uncertain output.

Lemma 1.6. For $\alpha \in L$, a predicate $m \in M_{[L]}D$, and an antitone function $f : D \to L$, we have $m(b) \ge \alpha * f(b)$ (resp. $m(b) \ge f(b) * \alpha$) for all $b \in D$ if and only if $m(b) \ge \alpha * f^u(b)$ (resp. $m(b) \ge f^u(b) * \alpha$) for all $b \in D$.

Proof. Since $f \le f^u$, "if" is trivial. Assume that $m(b) \ge \alpha * f(b)$ for all $b \in D$. Then for all $a \in D$, $a \ll b$, the inequality $f(a) \ge f^u(b)$ implies $m(a) \ge \alpha * f^u(b)$. Letting $a \to b$ (i.e., taking the infimum over all $a \ll b$ and using the Scott continuity of $m$), we obtain $m(b) \ge \alpha * f^u(b)$. $\square$

Remark 1.7. The latter statement can be expressed by the formulae:

$$(\alpha * f)^u = (\alpha * f^u)^u, \qquad (f * \alpha)^u = (f^u * \alpha)^u,$$

for each antitone function $f : D \to L$ and $\alpha \in L$. It is also easy to see that, for a family $\{f_i \mid i \in I\}$ of antitone functions $D \to L$, the equality

$$\Big(\sup_{p,\ i \in I} f_i\Big)^u = \Big(\sup_{p,\ i \in I} (f_i)^u\Big)^u$$

is valid.

The operation $*$ induces binary operations $\odot$ and $\bar\odot$ on the posets $M_{[L]}D$ and $\bar M_{[L]}D$, which make them $L$-idempotent compact Lawson semimodules [19]. Recall that a (left idempotent) $(L, \oplus, *)$-semimodule [1] is a set $X$ with operations $\oplus : X \times X \to X$ and $\odot : L \times X \to X$ such that for all $x, y, z \in X$, $\alpha, \beta \in L$:

(1) $x \oplus y = y \oplus x$;

(2) $(x \oplus y) \oplus z = x \oplus (y \oplus z)$;

(3) there is an (obviously unique) element $0 \in X$ such that $x \oplus 0 = x$ for all $x$;

(4) $\alpha \odot (x \oplus y) = (\alpha \odot x) \oplus (\alpha \odot y)$, $(\alpha \oplus \beta) \odot x = (\alpha \odot x) \oplus (\beta \odot x)$;

(5) $(\alpha * \beta) \odot x = \alpha \odot (\beta \odot x)$;

(6) $1 \odot x = x$; and

(7) $0 \odot x = 0$.

Observe that these axioms imply that $(X, \oplus)$ is an upper semilattice with a bottom element $0$, and $\alpha \odot 0 = 0$ for all $\alpha \in L$. The operation $\odot$ is isotone in both variables.

Hence an $(L, \oplus, *)$-semimodule is an analogue of a vector space. Similarly, analogues exist for linear and affine mappings. A mapping $f : X \to Y$ between $(L, \oplus, *)$-semimodules is called linear if, for all $x_1, \ldots, x_n \in X$ and $\alpha_1, \ldots, \alpha_n \in L$, the equality

$$f(\alpha_1 \odot x_1 \oplus \cdots \oplus \alpha_n \odot x_n) = \alpha_1 \odot f(x_1) \oplus \cdots \oplus \alpha_n \odot f(x_n)$$

is valid. If the latter equality is ensured only whenever $\alpha_1 \oplus \cdots \oplus \alpha_n = 1$, then $f$ is called affine. Observe that an affine mapping $f$ preserves joins, i.e., $f(x_1 \oplus x_2) = f(x_1) \oplus f(x_2)$ for all $x_1, x_2 \in X$. An affine mapping is linear if and only if it preserves the least element.

We call a triple $(X, \oplus, \odot)$ a continuous $(L, \oplus, *)$-semimodule [3] if $(X, \oplus, \odot)$ is an $(L, \oplus, *)$-semimodule, $X$ is a continuous (hence complete) lattice, and $\odot : L \times X \to X$ is infinitely distributive w.r.t. all suprema in both variables. Then $X$ with its Lawson topology is a compact Hausdorff Lawson lower semilattice with a top element, and $\odot$ is jointly continuous w.r.t. the Scott topologies on $L$ and $X$.

For $m \in M_{[L]}D$, we define $\alpha \odot m$ to be the least predicate $m' : D \to L$ such that $\alpha * m(b) \le m'(b)$ for all $b \in D$, i.e., $\alpha \odot m = (\alpha * m)^u$. Then:

$$(\alpha \odot m)(b) = \inf\{\alpha * m(a) \mid a \in D,\ a \ll b\}.$$

For $m \in \bar M_{[L]}D$, we need to "adjust" the result:

$$(\alpha \,\bar\odot\, m)(b) = \begin{cases} (\alpha \odot m)(b), & b \ne 0; \\ 1, & b = 0. \end{cases}$$
Lemma 1.8. For $\alpha, \beta \in L$ and $m \in M_{[L]}D$:

$$\alpha \odot (\beta \odot m) = (\alpha * \beta) \odot m.$$

Proof. By Remark 1.7,

$$\alpha \odot (\beta \odot m) = (\alpha * (\beta * m)^u)^u = (\alpha * (\beta * m))^u = (\alpha * \beta) \odot m. \qquad \square$$

Now the equality

$$\alpha \,\bar\odot\, (\beta \,\bar\odot\, m) = (\alpha * \beta) \,\bar\odot\, m$$

for all $\alpha, \beta \in L$, $m \in \bar M_{[L]}D$ is immediate. Both operations $\odot$ and $\bar\odot$ are infinitely distributive w.r.t. supremum in both arguments (because $*$ is such an operation); hence, both are lower semicontinuous. Using routine but straightforward calculations ([?]; the same but in terms of hyperspaces in [?]) we obtain:

Proposition 1.9. The triples $(M_{[L]}D, \oplus, \odot)$ and $(\bar M_{[L]}D, \oplus, \bar\odot)$ are continuous $(L, \oplus, *)$-semimodules.

Remark 1.10. It is easy to see that, if $*$ is also infinitely distributive w.r.t. infimum, then $\alpha * m \in [D \to L^{op}]^{op}$ for all $\alpha \in L$, $m \in [D \to L^{op}]^{op}$. Therefore, in this case $\alpha \odot m$ coincides with $\alpha * m$.

For two predicates $m_1, m_2 : D \to L$, their join (i.e., the argumentwise supremum) $m_1 \oplus m_2$ can be interpreted as the disjunction "$m_1$ or $m_2$". Multiplication of a predicate $m : D \to L$ by $\alpha \in L$ either does not change this predicate or makes it more "pessimistic", or, equivalently, more "demanding". Since the sets of $L$-fuzzy monotonic predicates are "vector-like" spaces, we can apply to them the tools of idempotent linear algebra and idempotent functional analysis, although these theories are rather limited and poor compared to their "conventional" classical analogues. In particular, the results of [?] allow:

• to approximate $L$-fuzzy monotonic predicates from below and from above with predicates that attain only finite sets of values;

• to study and approximate predicates with special properties, e.g., meet- and join-preserving; and

• to construct the predicate that is dual to a given one, if the latter expresses an undesirable property which has to be avoided, etc.

2. Strongest postcondition predicate transformers 

We treat each mapping $m : D \to L$ as "it is known that, for each $d \in D$, its truth value is at least $m(d)$". Similarly, an arbitrary m​apping $\varphi : D \to M_{[L]}D'$ is interpreted as "if $a \in D$ is true, then the truth value of each $b \in D'$ is at least $\varphi(a)(b)$". Note that $\varphi(a)(b)$ is implicitly considered as a "conditional" truth value, i.e., if $a$ is "partially true" at a degree $\ge \alpha$, then $b$ is true at least at the degree $\alpha * \varphi(a)(b)$.

Hence, such a $\varphi$ is an $L$-fuzzy state transformer. For a given $\varphi$, we say that $m : D \to L$ is a precondition and $m' : D' \to L$ is a postcondition for each other w.r.t. $\varphi$ if, for all $a \in D$ and $b \in D'$, the "guaranteed" truth value $m'(b)$ is greater than or equal to $m(a) * \varphi(a)(b)$, i.e., to the result of modus ponens.

Obviously, for an antitone function $m : D \to L$, its strongest (least) postcondition $sp(\varphi)(m)$ in $M_{[L]}D'$ is determined by the equality

$$sp(\varphi)(m)(b) = \inf\{\sup\{m(a) * \varphi(a)(b') \mid a \in D\} \mid b' \in D',\ b' \ll b\}, \quad b \in D'.$$

Again, if we restrict ourselves to normalized predicates, the strongest postcondition must be corrected:

$$\bar{sp}(\varphi)(m)(b) = \begin{cases} sp(\varphi)(m)(b), & b \ne 0; \\ 1, & b = 0. \end{cases}$$

It is easy to see that, for all $d \in D$ and isotone $\varphi : D \to M_{[L]}D'$, we have $sp(\varphi)(\eta_{[L]}D(d)) = \varphi(d)$; hence $sp(\varphi)$ is an isotone extension of $\varphi$. Similarly, for an isotone mapping $\varphi : D \to \bar M_{[L]}D'$, the mapping $\bar{sp}(\varphi)$ is an isotone extension as well. The mappings $sp(\varphi)$ and $\bar{sp}(\varphi)$ are called ($L$-fuzzy) strongest postcondition predicate transformers induced by the state transformer $\varphi$, and are analogues of the crisp (i.e., Boolean) predicate transformers, which were introduced by Dijkstra [6]. Compare also with the weakest precondition predicate transformers, cf. [3], [?]. Their $L$-valued "angelic" and "demonic" analogues were introduced and investigated in [?] by means of topology. The latter reference also contains an example of a security system, which analyzes security threats of different severity and nature and imposes security measures of the corresponding level. This is naturally expressed with elements of lattices; therefore the authors propose to "consider possible definitions for lattice-valued predicate transformers". Here is another example.

Example 2.1. Assume that a program processes a sequence of $n$ frames. The quality $s_i$ of the $i$-th frame is rated on the scale $L = \{0, 1, \ldots, m\}$. The domain of computation is equal to $D = L^n$, and the meaning of $d = (d_1, d_2, \ldots, d_n)$ is "$s_1 \ge d_1$, $s_2 \ge d_2$, $\ldots$, $s_n \ge d_n$". The multiplication $i * j = \max\{i + j - m, 0\}$ is considered on $L$, making it a finite quantale. The truth value of $d = (d_1, d_2, \ldots, d_n)$ is defined as

$$\max\{k \in L \mid s_i \ge d_i * k \text{ for all } i = 1, 2, \ldots, n\}$$

(observe that it is $m_s(d)$ for $s = (s_1, s_2, \ldots, s_n)$, cf. Example 1.2). Assume that it is known that, if the quality of the $i$-th frame, $1 < i < n$, is $\ge k - 1$, and the quality of the two neighbouring frames is $\ge k$, then, after the program execution, the quality of the $i$-th frame will be $\ge k$, for all $1 \le k \le m$. This information can be expressed via the state transformer $\varphi : D \to M_{[L]}D$ that sends

$$s = (0, \ldots, 0, \underset{i-1}{m}, \underset{i}{m-1}, \underset{i+1}{m}, 0, \ldots, 0), \quad \text{for } 1 < i < n,$$

to $m_q$, where

$$q = (0, \ldots, 0, \underset{i}{m}, 0, \ldots, 0),$$

and all other $s \in D$ to the constant zero predicate. Similarly we can add the fact that the quality of each frame will not be worse than before, etc. The resulting predicate transformer $sp(\varphi) : M_{[L]}D \to M_{[L]}D$ sends a known quality of the frames before the program run to the best guaranteed quality after its execution.
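The finite setting of Example 2.1 together with the strongest postcondition formula above, worked through as an added example (this code is not part of the paper): it fixes $m = 2$, three frames, the quantale product $i * j = \max\{i + j - m, 0\}$, and a state transformer $\varphi$ that joins the "not worse than before" guarantee with the rule of Example 2.1 for every $(i, k)$ the input state satisfies; the outputs of $\varphi$ use the truth-value predicate of Example 2.1 rather than $m_q$, and $M$, $N$ and the shape of $\varphi$ are this example's own assumptions. It then checks that $sp(\varphi)$ extends $\varphi$ along $\eta_{[L]}D$ and preserves joins (Proposition 2.3).

```python
"""Constructed finite instance of the L-fuzzy strongest postcondition transformer.

L = {0, ..., M} with the quantale product i*j = max{i+j-M, 0}; D = L^N ordered
componentwise, where d means "frame i has quality >= d_i"; a monotonic predicate
is an antitone map D -> L, stored here as a dict.  M, N, the rule set and the
shape of phi are assumptions of this example, not the paper's.
"""
from itertools import product

M = 2                      # top element of L; it plays the role of the truth value 1
N = 3                      # number of frames, so D = L^N has (M+1)^N elements
L = range(M + 1)
D = list(product(L, repeat=N))


def conj(i, j):
    """The quantale operation i*j = max{i + j - M, 0}; M is its two-sided unit."""
    return max(i + j - M, 0)


def leq(a, b):
    """Componentwise order on D; in a finite poset a << b coincides with a <= b."""
    return all(x <= y for x, y in zip(a, b))


def truth(s):
    """Predicate of Example 2.1: t_s(d) = max{k in L | s_i >= d_i * k for all i},
    the degree to which the claim d holds when the actual qualities are s."""
    return {d: max(k for k in L if all(s[i] >= conj(d[i], k) for i in range(N)))
            for d in D}


def eta(d0):
    """eta_D(d0): value M (true) on every d <= d0 and 0 elsewhere."""
    return {d: M if leq(d, d0) else 0 for d in D}


def join(p, q):
    """Pointwise join of two predicates (their disjunction)."""
    return {d: max(p[d], q[d]) for d in D}


def is_antitone(p):
    """Monotonic predicate = Scott continuous D -> L^op, i.e. antitone here."""
    return all(p[b] <= p[a] for a in D for b in D if leq(a, b))


def phi(s):
    """Assumed state transformer: the output is not worse than the input (t_s),
    joined with "frame i >= k" for every rule of Example 2.1 that s satisfies
    (interior frame i has quality >= k-1 and both neighbours have quality >= k).
    Joining over all fired rules makes phi isotone in s."""
    post = truth(s)
    for i in range(1, N - 1):
        for k in range(1, M + 1):
            if s[i] >= k - 1 and s[i - 1] >= k and s[i + 1] >= k:
                post = join(post, truth(tuple(k if j == i else 0 for j in range(N))))
    return post


PHI = {s: phi(s) for s in D}


def sp(m):
    """Strongest postcondition of the antitone predicate m, computed literally:
    sp(phi)(m)(b) = inf{ sup{ m(a) * phi(a)(b') | a in D } | b' << b },
    with b' << b read as b' <= b because D is finite."""
    return {b: min(max(conj(m[a], PHI[a][bp]) for a in D)
                   for bp in D if leq(bp, b))
            for b in D}


def is_isotone_transformer():
    """phi(s) <= phi(t) pointwise whenever s <= t (hypothesis of Proposition 2.3)."""
    return all(PHI[s][d] <= PHI[t][d] for s in D for t in D if leq(s, t) for d in D)


def extends_phi():
    """sp(phi)(eta(d)) == phi(d) for every d: sp(phi) extends the state transformer."""
    return all(sp(eta(d)) == PHI[d] for d in D)


def preserves_joins(m1, m2):
    """Proposition 2.3: sp(phi)(m1 + m2) == sp(phi)(m1) + sp(phi)(m2)."""
    return sp(join(m1, m2)) == join(sp(m1), sp(m2))
```

With the input "frame 2 is at least 1 and its neighbours are at least 2" the rule fires for $k = 1$ and $k = 2$, so the guaranteed post-quality of frame 2 rises from $1$ (its input value) to $2$.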

To simplify our exposition, we consider in this section not necessarily nor- 
malized monotonic predicates. 

Lemma 2.2. With respect to a Scott continuous mapping $\varphi : D \to M_{[L]}D'$, a monotonic predicate $m' : D' \to L$ is a postcondition for an antitone function $m : D \to L$ if and only if $m'$ is a postcondition for $m^u : D \to L$.

Proof. Since $m \le m^u$, "if" is immediate. Let $m'(b) \ge m(a) * \varphi(a)(b)$ for all $a \in D$, $b \in D'$. Then $m'(b) \ge m(a') * \varphi(a')(b) \ge m^u(a) * \varphi(a')(b)$ for all $a' \ll a$. This implies $m' \ge m^u(a) * \sup_{p,\ a' \ll a} \varphi(a')$; therefore by Lemma 1.6

$$m' \ge m^u(a) * \Big(\sup_{p,\ a' \ll a} \varphi(a')\Big)^u = m^u(a) * \sup_{a' \ll a} \varphi(a') = m^u(a) * \varphi(a),$$

where the last equality is due to the Scott continuity of $\varphi$. $\square$

Proposition 2.3. Let $\varphi$ be a mapping $D \to M_{[L]}D'$. Then $sp(\varphi) : M_{[L]}D \to M_{[L]}D'$ preserves joins (hence finite suprema). For an isotone $\varphi$, the mapping $sp(\varphi)$ preserves all suprema if and only if $\varphi$ is Scott continuous, i.e., preserves directed suprema.

Proof. Let $m = m_1 \oplus m_2$, for $m, m_1, m_2 \in M_{[L]}D$. Then, for $m' \in M_{[L]}D'$, $a \in D$, $b \in D'$, the inequality $m'(b) \ge (m_1 \oplus m_2)(a) * \varphi(a)(b)$ is valid if and only if both $m'(b) \ge m_1(a) * \varphi(a)(b)$ and $m'(b) \ge m_2(a) * \varphi(a)(b)$ are satisfied. Therefore

$$\min\{m' \in M_{[L]}D' \mid m'(b) \ge (m_1 \oplus m_2)(a) * \varphi(a)(b) \text{ for all } a \in D,\ b \in D'\} =$$
$$\min\{m' \in M_{[L]}D' \mid m'(b) \ge m_1(a) * \varphi(a)(b) \text{ for all } a \in D,\ b \in D'\} \oplus$$
$$\min\{m' \in M_{[L]}D' \mid m'(b) \ge m_2(a) * \varphi(a)(b) \text{ for all } a \in D,\ b \in D'\},$$

i.e.,

$$sp(\varphi)(m_1 \oplus m_2) = sp(\varphi)(m_1) \oplus sp(\varphi)(m_2).$$

Now let $\varphi$ be isotone. If $sp(\varphi)$ preserves all suprema, then it is Scott continuous, as is $\varphi = sp(\varphi) \circ \eta_{[L]}D$.

If $\varphi$ is Scott continuous and $\{m_i \mid i \in I\} \subseteq M_{[L]}D$, then due to monotonicity

$$sp(\varphi)\Big(\sup_{i \in I} m_i\Big) \ge \sup_{i \in I} sp(\varphi)(m_i).$$

On the other hand, $\sup_{i \in I} sp(\varphi)(m_i)$ is a postcondition for all $m_i$; hence by Lemma 2.2 it is also a postcondition for $(\sup_p m_i)^u = \sup m_i$. Therefore

$$\sup_{i \in I} sp(\varphi)(m_i) \ge sp(\varphi)\Big(\sup_{i \in I} m_i\Big),$$

and $sp(\varphi)$ preserves all suprema. $\square$



Unfortunately, an analogue of Proposition 2.3 for lower topologies is not
valid, even if $*$ is infinitely distributive w.r.t. both suprema and infima.

Example 2.4. Let $D = \{0, 1, 1'\} \cup \{1 + \tfrac{1}{n} \mid n = 1, 2, 3, \ldots\}$ with the usual numeric
order, except that $1'$ is an extra copy of $1$, and $1$ and $1'$ are incomparable.
Each directed set in $D$ has a greatest element, hence $D$ is a directed complete
continuous poset. Thus $D$ is an incomplete continuous semilattice with a least
element $0$. All upper sets in $D$ are lower closed and Scott open; therefore
all isotone mappings from $D$ to any poset are continuous w.r.t. both the lower
and the Scott topologies.

Also, let $L = D' = \{0, 1\}$; $* = \wedge$; and $\varphi : D \to M_{[L]}D'$ be an isotone
mapping defined as follows:
$$
\varphi(d) = \begin{cases} \text{(illegible)}, & d \in \{0, 1, 1'\}, \\ \text{(illegible)}, & d \notin \{0, 1, 1'\}, \end{cases} \qquad d \in D.
$$
Then
$$
sp(\varphi)(m)(0) = \begin{cases} 1 & \text{if there is } d \in \{1 + \tfrac{1}{n} \mid n = 1, 2, 3, \ldots\} \text{ with } m(d) = 1, \\ 0 & \text{otherwise.} \end{cases}
$$
Therefore there is a greatest element $m_1$ in the complement of the preimage
$sp(\varphi)^{-1}(\{m'\}\uparrow)$ in $M_{[L]}D$:
$$
m_1(d) = \begin{cases} 1, & d \in \{0, 1, 1'\}, \\ 0, & d \notin \{0, 1, 1'\}. \end{cases}
$$
However, there are no minimal elements in the preimage itself; hence it is not
lower closed.

Thus the mapping $m \mapsto sp(\varphi)(m)(0)$, and hence $sp(\varphi)$, is not lower continuous.
To obtain the required analogue, we must apply additional requirements.

Proposition 2.5. Let $D$ and $D'$ be complete continuous semilattices, $\varphi : D \to M_{[L]}D'$
an isotone mapping, and $* : L \times L \to L$ infinitely distributive also w.r.t.
infimum in both variables. Then $sp(\varphi)$ is lower continuous if and only if $\varphi$ is
lower continuous, and in this case $sp(\varphi)$ is defined by a simpler formula:
$$
sp(\varphi)(m)(b) = \sup\{m(a) * \varphi(a)(b) \mid a \in D\}, \qquad b \in D'.
$$

Proof. Recall that such an operation $* : L \times L \to L$ is continuous w.r.t. the lower
and the Lawson topologies on $L$, while the previously required infinite distributivity
w.r.t. supremum implies only the Scott continuity of $*$. The semilattices
$D$ and $D'$ with the Lawson topologies are compact Hausdorff topological semilattices.

Necessity is due to Lemma 1.3, because $\varphi = sp(\varphi) \circ \eta_{[L]}D$, and $\eta_{[L]}D$ is lower
continuous.

Sufficiency. The mapping that sends each $a \in D$ to $m(a) * \varphi(a) \in M_{[L]}D'$ is
continuous w.r.t. the Lawson topology on $D$ and the lower topology on $M_{[L]}D'$.
Hence the set $\{m(a) * \varphi(a) \mid a \in D\}$ is compact in the lower topology on
$M_{[L]}D'$. By Lemma 1.5 its pointwise limit is in $M_{[L]}D'$; therefore it coincides
with $sp(\varphi)(m)$.

Let $m \in M_{[L]}D \setminus sp(\varphi)^{-1}(\{m'\}\uparrow)$, $m' \in M_{[L]}D'$; then
$$
sp(\varphi)(m)(b) = \sup\{m(a) * \varphi(a)(b) \mid a \in D\} = \gamma \not\ge m'(b)
$$
for some $b \in D'$.

The set $\{(m(a), \varphi(a)(b)) \mid a \in D\}$ is contained in the closed, therefore compact,
lower set $\{(\alpha, \beta) \in L \times L \mid \alpha * \beta \le \gamma\}$. The operation $*$ is isotone and
Lawson continuous. Hence there are $\alpha_1, \beta_1, \ldots, \alpha_n, \beta_n \in L$ such that the open set
$$
U = (L \times L) \setminus \big(\{\alpha_1\}\uparrow \times \{\beta_1\}\uparrow \cup \cdots \cup \{\alpha_n\}\uparrow \times \{\beta_n\}\uparrow\big)
$$
contains
$$
\{(\alpha, \beta) \in L \times L \mid \alpha * \beta \le \gamma\},
$$
and $\sup\{\alpha * \beta \mid (\alpha, \beta) \in U\} = \gamma' \not\ge m'(b)$. By the above, for no $a \in D$ and
$i = 1, \ldots, n$ are the inequalities $m(a) \ge \alpha_i$ and $\varphi(a)(b) \ge \beta_i$ valid
simultaneously. The set
$$
B_i = \{a \in D \mid \varphi(a)(b) \ge \beta_i\} = \{a \in D \mid \varphi(a) \ge \beta_i * \eta_{[L]}D'(b)\}
$$
is closed w.r.t. the lower topology due to the continuity of $\varphi$. It has an empty
intersection with the Scott closed set
$$
A_i = \{a \in D \mid m(a) \ge \alpha_i\}.
$$
By compactness, there is a finite collection $a_{i1}, \ldots, a_{ik_i} \in D$ such that the set
$$
\{a \in D \mid a_{ij} \le a \text{ for some } 1 \le j \le k_i\}
$$
contains $B_i$ and has an empty intersection with $A_i$. Then the set
$$
V = \{c \in M_{[L]}D \mid c \not\ge \alpha_i * \eta_{[L]}D(a_{ij}) \text{ for all } 1 \le i \le n,\ 1 \le j \le k_i\}
$$
is an open neighborhood of $m$ in the lower topology, and, if $c \in V$, then $c(a) \not\ge \alpha_i$
whenever $\varphi(a)(b) \ge \beta_i$, $1 \le i \le n$. Therefore, if $c \in V$, then
$$
\sup\{c(a) * \varphi(a)(b) \mid a \in D\} \le \gamma' \not\ge m'(b),
$$
hence $sp(\varphi)(c)(b) \not\ge m'(b)$, and all preimages $sp(\varphi)^{-1}(\{m'\}\uparrow)$ are closed, which
implies the required continuity of $sp(\varphi)$. □

Proposition 2.6. Let $\varphi$ be a mapping $D \to M_{[L]}D'$. If (a) $\varphi$ is Scott continuous,
or (b) $*$ is infinitely distributive w.r.t. infimum, then the mapping
$sp(\varphi) : M_{[L]}D \to M_{[L]}D'$ is linear.

Proof. Join preservation is due to Proposition 2.3.

Let a mapping $\varphi : D \to M_{[L]}D'$ be Scott continuous (a). Then:
$$
sp(\varphi)(\alpha \odot m) = sp(\varphi)\big((\alpha * m)^u\big) \overset{\text{Lemma 2.2}}{=} sp(\varphi)(\alpha * m)
= \Big(\sup^{p}_{a \in D} \alpha * m(a) * \varphi(a)\Big)^u \overset{\text{Lemma [?]}}{=} \alpha \odot \Big(\sup^{p}_{a \in D} m(a) * \varphi(a)\Big)^u = \alpha \odot sp(\varphi)(m).
$$

Assume (b). Then:
$$
\begin{aligned}
sp(\varphi)(\alpha \odot m)(b) &= sp(\varphi)(\alpha * m)(b) \\
&= \inf\{\sup\{\alpha * m(a) * \varphi(a)(b') \mid a \in D\} \mid b' \in D', b' \ll b\} \\
&= \inf\{\alpha * \sup\{m(a) * \varphi(a)(b') \mid a \in D\} \mid b' \in D', b' \ll b\} \\
&= \alpha * \inf\{\sup\{m(a) * \varphi(a)(b') \mid a \in D\} \mid b' \in D', b' \ll b\} \\
&= \big(\alpha \odot sp(\varphi)(m)\big)(b), \qquad \text{for all } m \in M_{[L]}D,\ b \in D'.
\end{aligned}
$$
□

Remark 2.7. In the presence of (a) or (b), the mapping $sp(\varphi)$ can be characterized
as the least linear mapping $\Phi : M_{[L]}D \to M_{[L]}D'$ such that $\Phi(\eta_{[L]}D(d)) = \varphi(d)$
for all $d \in D$.
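As an added illustration (not part of the paper), the following Python script builds a small finite model and checks the statements above by exhaustive enumeration: the simpler formula of Proposition 2.5, join preservation (Proposition 2.3), homogeneity under the scalar action (Proposition 2.6) and the unit condition of Remark 2.7. It assumes the finite chain $L = \{0, 1, 2\}$ with $* = \min$ (a completely distributive quantale), finite posets $D$ and $D'$ (so every element is compact, $m^u = m$ for antitone $m$, and the infimum over $b' \ll b$ collapses to $b' = b$), monotonic predicates taken as antitone maps, and $\eta_{[L]}D(d)$ taken as the indicator of the principal lower set of $d$, which is how $\eta$ is used in the proof of Proposition 2.5. The posets `D`, `DP` and the transformer `PHI` are constructed for the illustration.

```python
"""Finite-model check of the strongest postcondition transformer sp(phi).

Constructed example, not taken from the paper.  Assumptions made here:
  * L = {0, 1, 2} is a finite chain with alpha * beta = min(alpha, beta);
    the scalar action is alpha (.) m = alpha * m.
  * D and D' are finite, so m^u = m for antitone m and the infimum over
    b' << b collapses to b' = b.  Hence
        sp(phi)(m)(b) = sup{ m(a) * phi(a)(b) | a in D }   (Proposition 2.5).
  * Monotonic predicates are antitone maps D -> L.
  * eta_[L]D(d) is TOP on the principal lower set of d and 0 elsewhere
    (this is how eta is used in the proof of Proposition 2.5).
"""
from itertools import product

TOP = 2
L = range(TOP + 1)

def star(x, y):
    """Quantale multiplication * on the chain L."""
    return min(x, y)

# D = {0, a, b, 1}: 0 is the bottom, a and b are incomparable, 1 is the top.
D = ["0", "a", "b", "1"]
def leq_D(x, y):
    return x == y or x == "0" or y == "1"

# D' = {0, 1}, a two-element chain.
DP = [0, 1]
def leq_DP(x, y):
    return x <= y

# An isotone state transformer phi : D -> M_[L]D' (constructed).  Each phi(d)
# is antitone on D', and d <= d' in D implies phi(d) <= phi(d') pointwise.
PHI = {
    "0": {0: 0, 1: 0},
    "a": {0: 1, 1: 0},
    "b": {0: 2, 1: 1},
    "1": {0: 2, 1: 2},
}

def is_antitone(m, leq):
    return all(m[x] >= m[y] for x in m for y in m if leq(x, y))

def predicates(dom, leq):
    """All monotonic (antitone) predicates dom -> L, by brute force."""
    out = []
    for values in product(L, repeat=len(dom)):
        m = dict(zip(dom, values))
        if is_antitone(m, leq):
            out.append(m)
    return out

def sp(phi, m):
    """Strongest postcondition of m under phi, via the Prop. 2.5 formula."""
    return {b: max(star(m[a], phi[a][b]) for a in D) for b in DP}

def join(m1, m2):
    """The join (+) of two predicates: pointwise supremum."""
    return {x: max(m1[x], m2[x]) for x in m1}

def scale(alpha, m):
    """The scalar action alpha (.) m = alpha * m (pointwise)."""
    return {x: star(alpha, m[x]) for x in m}

def eta(d):
    """eta_[L]D(d): TOP on {x | x <= d}, 0 elsewhere (assumed definition)."""
    return {x: (TOP if leq_D(x, d) else 0) for x in D}

def check_join_preservation():
    """Proposition 2.3: sp(phi)(m1 (+) m2) = sp(phi)(m1) (+) sp(phi)(m2)."""
    ms = predicates(D, leq_D)
    return all(sp(PHI, join(m1, m2)) == join(sp(PHI, m1), sp(PHI, m2))
               for m1 in ms for m2 in ms)

def check_linearity():
    """Proposition 2.6(b): sp(phi)(alpha (.) m) = alpha (.) sp(phi)(m)."""
    return all(sp(PHI, scale(alpha, m)) == scale(alpha, sp(PHI, m))
               for alpha in L for m in predicates(D, leq_D))

def check_outputs_are_predicates():
    """sp(phi)(m) lands in M_[L]D', i.e. it is antitone on D'."""
    return all(is_antitone(sp(PHI, m), leq_DP) for m in predicates(D, leq_D))

def check_unit():
    """Remark 2.7: sp(phi)(eta(d)) = phi(d) for every d in D."""
    return all(sp(PHI, eta(d)) == PHI[d] for d in D)

def check_decomposition():
    """Every predicate is the join over a in D of m(a) (.) eta(a).  With join
    preservation and linearity this forces any linear Phi with
    Phi(eta(d)) = phi(d) to agree with sp(phi) on this finite model."""
    for m in predicates(D, leq_D):
        acc = {x: 0 for x in D}
        for a in D:
            acc = join(acc, scale(m[a], eta(a)))
        if acc != m:
            return False
    return True

if __name__ == "__main__":
    print(sp(PHI, {"0": 2, "a": 1, "b": 2, "1": 1}))
    for name in ("check_join_preservation", "check_linearity",
                 "check_outputs_are_predicates", "check_unit",
                 "check_decomposition"):
        print(name, globals()[name]())
```

In the finite model the least linear extension of Remark 2.7 is in fact the unique one, because `check_decomposition` shows every predicate is a finite join of scaled units; the "least" qualification only becomes visible over infinite $D$, where the $u$-closure and the infimum over $b' \ll b$ no longer collapse.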

Remark 2.8. All statements in this section have straightforward analogues for
normalized predicates. The only significant distinction is that, if a mapping
$\varphi : D \to M_{[L]}D'$ satisfies the conditions that are analogous to those of 2.6, then
the mapping $sp(\varphi)$ between the semimodules of normalized predicates is affine, instead
of linear. Proofs can be obtained mutatis mutandis, without any major changes.
Epilogue

We have shown that $L$-fuzzy strongest postcondition predicate transformers
are related to $L$-idempotent linear or affine operators between continuous $L$-
semimodules. Now it is possible to study linear and affine approximations of
predicate transformers from above and from below. These approximations are
related to attempts to describe a program behaviour in a more economical way,
dropping less important details.

It has been observed, e.g., by Doberkat [?] that monads and Kleisli composition
arise in the description of combining several programs into a pipe and composing
the respective predicate transformers. While, for probabilistic programs,
these monads are based on (sub)probability measures, for non-probabilistic
fuzzy semantics we propose to use monads of lattice-valued non-additive
measures [?].

Treatment of $L$-fuzzy weakest precondition predicate transformers, similar
to the one proposed for strongest postcondition predicate transformers, as well as
a demonstration that relations between these classes can be properly expressed
in terms of category theory, will be the topic of our future publications. In
particular, Galois connections [?] will be used to investigate compatibility of
$L$-fuzzy knowledge and of nondeterministic programs.